From ee25bca8b9805a4a3ae805d3166b98fb4b20d6f2 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Mon, 15 Mar 2010 23:50:52 +0000
Subject: [PATCH] pull up r23766 from trunk

 ------------------------------------------------------------------------
 r23766 | ghudson | 2010-03-05 12:45:46 -0500 (Fri, 05 Mar 2010) | 10 lines

 ticket: 6676
 subject: Ignore improperly encoded signedpath AD elements
 target_version: 1.8.1
 tags: pullup

 We have some reason to believe Microsoft and Heimdal are both using
 the authdata value 142 for different purposes, leading to failures in
 verify_ad_signedpath().  For better interoperability, treat such
 tickets as unsigned, rather than invalid.

ticket: 6676
version_fixed: 1.8.1
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23809 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/kdc_authdata.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 50975580c..b5de64de2 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context context,
     enc_sp.length = sp_authdata[0]->length;
 
     code = decode_krb5_ad_signedpath(&enc_sp, &sp);
-    if (code != 0)
+    if (code != 0) {
+        /* Treat an invalid signedpath authdata element as a missing one, since
+         * we believe MS is using the same number for something else. */
+        code = 0;
         goto cleanup;
+    }
 
     code = verify_ad_signedpath_checksum(context,
                                          krbtgt,
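Review bot: The new `if (code != 0)` branch clears every failure from decode_krb5_ad_signedpath(), not only encoding errors, so an unrelated failure such as an allocation error would also be returned as success with the ticket treated as unsigned. If the decoder can return ENOMEM, keep that one by using `if (code != ENOMEM) code = 0;` before the `goto cleanup;`. The downgrade is only safe if the function's signed-path result is still false when cleanup is reached. That is set outside this hunk and worth confirming, since the body of verify_ad_signedpath starts and ends beyond it. The comment could also state that the element is ignored rather than trusted, and a log or trace line here would let operators see how often authdata type 142 fails to decode.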
-- 
2.26.2